Archive for January 2018

Lenovo has released a security advisory about some serious security issues (a holy trinity of weak encryption, hardcoded password, and access without admin authentification) with their Windows-based Fingerprint Manager Pro software. So, if you are running Windows on your Lenovo (why, oh why would you shoot yourself in the foot like that?) and have not deactivated the fingerprint sensor anyway, since biometric security is insecure as fuck and nothing beats a proper password, you should probably take a look.

NSA No Longer Honest

Wed, Jan 24, 2018

Now, before you go all “NO SHIT!” on me, not too long ago the mission statement of the NSA cited four core values: Honesty, Respect for the Law, Integrity, and Transparency. Since you just read this, I will give you a minute to get your snickering under control…. got it? … can we move on? … ok, thanks.

So now the current version of the updated core values cites six core values: Commitment to Service, Respect for the Law, Integrity, Transparency, Respect for People, and Accountability. Gone is the honesty, we never used that one anyway, right? The same sinking ship also took “honor the public’s need for openness” with it. Convenient!

Also of interest is that, with the new and revised core values, Respect for People only applies to NSA personnel and Transparency only applies to “those who authorize and oversee NSA’s work”.

Israel Going for Border Creep

Tue, Jan 23, 2018

According to The Intercept Israel is silently expanding its territory behind the Golan heights because they want to set up a “buffer zone”. Of course the israeli official interviewed denies this and claims all they are doing is delivering “humanitarian aid” and “strengthen stability”. Since this kind of reasoning is basically the same Putin used for his invasion of Crimea this has to be bad, right? I mean it’s not just bad if the Russians do it, or is it? Maybe China could just annex Nepal, occupy it for a few decades and then move on to India because you got to keep those buffer humanitarian aid zones coming!

Well, not exactly the worm, more like small game. Turns out that arson is one of the preferred methods of hunting for birds of prey like hawks or falcons in Australia. There’s a six-year study out that documents these birds taking burning sticks or embers and carrying them into dry grass in order to start wildfires. Their goal is to scare small game out of the bush for more effective hunting.

Dubbed firehawks, these birds give firefighters a headache as they can carry burning material accross firebreaks. Arson in the animal kingdom… who would’ve thought. :) Also, FIREHAWKS makes for a much better team name than Power Rangers I think.

Mozilla released a statement about how they plan to play an important role in getting more encryption out there. Especially since services like Let’s Encrypt make it blatantly easy (and free of charge) to obtain a properly signed certificate Mozilla announced that

Effective immediately, all new features that are web-exposed are to be restricted to secure contexts. Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc.

This is awesome! Want that new shiny property that makes your website look all flashy? You better serve it via SSL then. I actually do know quite a few marketing-type “webdesigners” that have no clue about proper website security. Also they usually don’t give a fuck. “Why should I go through the trouble and serve everything via SSL? I’d rather spend time on implementing <insert useless feature that makes the website even more cluttered here>.”

Well now you have to care about encryption if you want the masses to see your stuff. Very nice move from Mozilla.

Sex on the Blockchain

Thu, Jan 11, 2018

We have officially reached the point in the evolution of mankind where it might soon be possible to use a blockchain powered mobile app in order to set up a legally binding contract before proceeding to more delicate matters.

Money quote:

Escalate a breach with a single click, triggering cease and desist letters and enforcing penalty payments

Maybe this will be just the start. Perhaps, in a couple of years from now, the way people go for a fling will be along the lines of “So, my lawyer is going to talk to your lawyer and then, after we sign the contract in two weeks, we can fuck?”. Which actually is just a small step up from “Ohh, Babe, wait a second, you have to swipe here and give me at least 2 hours of consent before we can go any further!”.

I’m actually still hoping this is a hoax but would it surprise me if it wasn’t? No, not really. Romance, RIP 2018.

James Damore Sues Google

Tue, Jan 9, 2018

James Damore, the engineer that got fired by Google for writing an internal memo about how there is an aura of fear amongst Google employes of being fired for expressing conservative or even just scientific views about the whole gender debate (note the irony), has just filed a case against his former employer (and here is the suit) for discrimination.

It will be interesting to see how this pans out. Apparently the suit (linked above) contains numerous screenshots of interesting things going on. In addition to marvels in the text, as in Google paying a so called peer bonus where a colleague can recommend another colleague for a bonus because that colleague spoke out against the values in Damore’s memo. Oddly reminiscent of Trumps let’s-buy-UN-votes tactics.

Overall, the second half of the suit is riddled with screenshots of things posted on the internal google newsgroups and message groups. It actually paints a pretty clear picture of who is discriminating against who.

PC-Wahl Hack by the CCC

Mon, Jan 1, 2018

Last year, the Chaos Computer Club (CCC) hacked the software which was used in the German national elections. They made their findings public before the elections took place but the software, riddled with vulnerabilities, was still used. During the most recent Chaos Communication Congress the involved researchers gave a nice talk (German) (also available with English dubbed audio) on the subject which I can recommend as it is not only informative but entertaining as well. Also you do not have to be a hacker or programmer to understand this. While they do have some technical slides, on the whole this is very digestable even for non-professionals.

After all, this software (or something equally insecure) might be used in your country as well.